Abstract

In a recent note (arXiv:1209.2423) Renner claims that the criticisms of Hirota and Yuen on the security foundation of quantum key distribution arose from a logical mistake. In this paper it is shown that Renner misrepresents the claims of Yuen and also Hirota while adopting one main theorem of Yuen in lieu of his own previous error. This leads to his incoherent position which ignores quantitative security criterion levels that undermine the current security claims, a main point of the Yuen and Hirota criticisms. This security criterion issue has never been properly addressed in the literature and is here fully discussed, as are several common misconceptions on QKD security. Other foundational issues are touched upon to bring out further the present precarious state of quantum key distribution security proofs.
I INTRODUCTION

In this paper we will respond to the recent Reply paper by Renner [1] that the criticisms of Yuen [2-5] and Hirota [6] on the security of quantum key distribution (QKD) protocols are derived from a logical error. While Hirota could speak for himself, some related points in his paper will be included in our discussion. Renner explicitly attributes an equivocal claim to us, and by an incorrect argument in a footnote, claims to produce a counter-example to our conclusion. In truth, the precise form of our claim has been repeatedly given in [2-5]. Rather, Renner made a fundamental error in [7-8] which has become the standard interpretation of the trace distance criterion d widely employed in QKD. This incorrect interpretation leads to the current prevalent QKD security claim that the generated key K has a probability p > 1 − d of being ideal [9-11]. In actuality, K is not ideal with probability 1 for d > 0 and may have a probability d of being found in total by an attacker Eve [2-5]. As brought out in detail in section III, the correct meaning of d gives a much weaker security guarantee than the wrong interpretation in general. It is the consequence of this error in concrete QKD protocols that Yuen and Hirota pointed out, which is beyond rational dispute as will be shown in this paper.

Security is a quantitative issue. The exact level one has for a given l-bit key K is crucially important. In [1] l is taken to be 10'^ and d = 10^{-20}. There are two sorts of security, "raw security" [3] before K is used and composition security where Eve has additional information about it when K is used, for example from a known-plaintext attack. In raw security, the ideal situation occurs when K has the uniform distribution U to Eve. Since the earlier days of QKD [12], "unconditional security" means the security result holds against all attacks allowed by the laws of quantum physics, with a quantitative information theoretic security level that can be made arbitrarily close to ideal through a security parameter. If d is the maximum failure probability with "failure" meaning the key is not ideal [7-11], security would be perfect with a large probability p > 1 − d, but that is false. When K has a distribution P to Eve, its quality is often measured by a single-number security criterion, say the variational distance δ(P, U) between P and U. Since δ or d is not a bound on 1 − p, operational security meaning has to be given to them through Eve's probabilities of success in estimating various portions of K and through Eve's average bit error rate (BER) [2-5].
This paper will provide the details to elaborate on the following:

(1) What Renner Claimed Before The Reply —

The trace distance d is defined in (TD) of [1], with (TD) meaning d < ε, and equation (1) of [1] says

(TD) ⇒ (UC secrecy) (1)

In [7-11] before this Reply paper [1], UC secrecy (of level at least ε, or "ε-secrecy") means the generated K is ideal with probability p > 1 − ε. This is often phrased in terms of the "failure probability" 1 − p being less than ε. Thus, with d interpreted as the maximum failure probability [7-11], (1) is obtained to guarantee ε-secrecy when the level of d is bounded by ε.

(2) What Yuen And Hirota Claimed —

It was shown [2-5] that Renner's interpretation of d is incorrect and in fact K is not uniform with probability 1 when d > 0, i.e., p = 0. Furthermore, the levels of d obtained in concrete protocols, in theory [13] not to say in experiment [14], imply K is very poor compared to U [2-6], for both raw and known-plaintext attack security and for both Eve's sequence success probabilities and BER.

(3) What Renner Claimed In His Reply —

The meaning of (1) is now equivocal in [1]. In paragraph two, UC secrecy is still claimed to be "ε-secret" with a failure probability < ε, but the explanation of failure probability in footnote [14] is given in terms of the correct sequence probability meaning of d first described in [5] but with no reference. The BER meaning is not given. These two interpretations of UC secrecy in [1] are contradictory, as indicated in point (2) above. By an arbitrary stipulation in footnote [15], it is declared in [1] that d = 10^{-20} for an l = 10*^ bit key is sufficiently secure. Together with distorting our correct claim, that the condition (HY) means the key is near-uniform, into the claim that (HY) is necessary for security, a "logical error" on Yuen and Hirota is manufactured in [1] through a counter-example in footnote [19]. This counter-example itself is infused with error and confusion, including the same conceptual confusion that leads to the error described in (1) above.

(4) What Is Wrong With The Security Claim In [1]

In addition to the above point (2) there are fundamental problems on the claims in [1] for

from uniform, it cannot be used to subtract for leak_EC, Eve's information gain from error correction, that is employed in all recent security proofs. Also, why is such a d level "sufficient" for security? When K is not near-uniform, only the users in a specific application can decide whether a given d level is sufficient. It cannot be prescribed in advance at d = 10^{-20}. It is the responsibility of the security analyst to spell out clearly the key rate and security level tradeoff. Note that according to the most up to date theoretical analysis of single-photon BB84 in [13], d = 10^{-20} is nowhere to be found. Already in their presented results the key rate is reduced to effectively zero at d = 10~^^, with a one-bit K generated before message authentication bits are accounted for.

When the average guarantee in the security proofs is converted to the individual guarantee necessary for a security claim on an individual system, the level is reduced from d to d^{1/3} for Eve's sequence success probabilities [4]. Thus, d = 10^{-20} [1] reduces to d^{1/3} > 10^{-7}. For d = 10"" [13], d^{1/3} > 10^{-5}, and for d = 10^{-6} [14], d^{1/3} = 10^{-2}. These are poor to very poor security guarantees for any application, and they remain so even under the wrong interpretation. Such quantitative issues are among the main claims of [2-6] not addressed in [1].

(5) What Are The Other QKD Security Foundation Issues —

There are many other basic problems in the known QKD security proofs that have been raised additionally in [15-19] but not touched upon in [1] despite its title and references. There are also several common but fundamental misconceptions in QKD security that should be clarified. A most significant misconception is that there is a security parameter in QKD protocols that can bring security to an arbitrarily good level if the key rate is below a certain threshold.

In this paper, we will explain points (1)-(5) in detail. In section II we will explain the above criterion issue to settle the matter once for all. We will start by dispelling a common misconception that QKD security is guaranteed by the laws of quantum physics, either no-cloning or whatever Uncertainty Relation. The necessary condition for operational quantitative security will be given. We will describe the severe reduction of the guaranteed d level to d^{1/3}, and the importance of bringing Eve's BER on K close to 1/2. While many details on the points about d itself can be found in [2-5], in section III we will make just one basic point on the error of interpreting d as maximum failure probability, namely a new fundamental argument on why the "proof" of such an interpretation given in [7-8] involving a joint distribution is not only invalid but is in fact irrelevant to the issue. All the security points raised in [1] will be addressed. In section IV various security proof issues concerning BB84 type protocols will be touched upon. We will bring out the inevitable exchange of key rate and security level in QKD systems, with the important consequence that there is no security parameter in QKD protocols that would render it arbitrarily secure for a fixed key rate. We will point out the incorrect step of subtracting leak_EC to account for the information leak due to error correction. Some common misconceptions about QKD security are summarized in section V.

The upshot is that the security foundation of QKD is indeed very much shaken. General security cannot be established by experiments and can only be proved theoretically. The present predicament is that it is not clear why and how a concrete QKD protocol can be proved secure in principle.

II QKD SECURITY CRITERION AND NECESSARY SECURITY CONDITIONS

In a QKD protocol of the BB84 type [20] two users A and B try to establish a sequence of secret bits, the generated key K, between themselves that no eavesdropper Eve can know even with any active attack. The security is often claimed to be based on the laws of quantum physics as if the latter have to be violated in order for Eve to succeed. It is clear that quantum no-cloning is a necessary but far from sufficient condition for security. In particular, the possibility of approximate cloning shows the issue is a more complicated quantitative one. The more prevalent intuitive security idea is the quantum disturbance-information trade-off, that the users could tell the presence of Eve by monitoring the system disturbance level if she gains an amount of "information" on K exceeding a given design level. Indeed, intrusion level estimation is a key part of all the typical QKD approaches. Henceforth the term QKD is used with the understanding that intrusion level estimation is involved.

To get sizable disturbance relative to the signal that can be readily estimated in QKD, the signal level needs to be low, say a single photon in BB84. Thus, the disturbance induced by Eve is easily masked by other unavoidable disturbance in a concrete realistic system even when such imperfection is small for other purposes. Furthermore, in an active attack Eve could in principle transform the quantum signals in many different ways and the users have to estimate her information gain under a given level of tolerable disturbance. It is now clear that security is a quantitative and complicated matter, and that there is no simple intuitive reason why any net key bits can be generated in QKD with whatever security, especially when the bits used for message authentication necessary for defending against man-in-the-middle attack are counted.

What security criterion should one use to measure the quantitative security level and why? In the literature this issue has never been correctly addressed. The mutual (accessible) information was used from the beginning but was found to contain a major loophole [21,22] and is by now largely abandoned. The trace distance criterion d [23,7-8] is at present nearly universally employed in QKD security analysis and is cited in [1] as the criterion that leads to "UC secrecy".

What is the level of d needed for UC secrecy? While one can distinguish perfect secrecy from UC secrecy, adequate UC security cannot be established by mere terminology or definition. It appears that the QKD security criterion is often thought to be a matter of choice by the designer, a wrong conception as we show presently. In [5] the following criteria are given in terms of Eve's optimal probabilities p_1 of successfully estimating various subsets of K from her attack. For raw security [3] where Eve only has information from the key generation process, the conditions are, with K* being any subset of K and for any value k* of K*,

p_1(k*) ≤ 2^{-|K*|} + ε' (2)

for some chosen level ε' [5]. Under known-plaintext attack where Eve knows a subset segment K_1 = k_1 of K and estimates a subset K_2* in the rest of K, the condition is, for some level of ε'',

p_1(k_2* | K_1 = k_1) ≤ 2^{-|K_2*|} + ε'' (3)

These probabilities have direct operational meaning in contrast to theoretical entities such as d or mutual information. The users have to decide what the ε' and ε'' are for the cryptosystem to be sufficiently secure operationally in a particular application. In particular, if these levels cannot be guaranteed it means Eve may be able to guess the key portion K* or K_2* with a probability exceeding the prescribed level chosen by the users, thus the cryptosystem is not proven secure to its operational specification! Hence (2)-(3) are necessary conditions for security. They are not sufficient for one-time pad use of K, as discussed later.

Among different composition security situations, 
known-plaintext attacks have to be included in QKD 
security proofs. As discussed in [3], the raw security 
of conventional symmetric-key ciphers is far better 
than that of concrete QKD systems. 

As explained in [2], Eve derives from her probe measurement a whole distribution P on all the 2^l possible K values. A single-number criterion merely expresses a constraint on P, but P itself should be compared to U for operational security guarantees. In particular, one has the form given in the left sides of (2)-(3) above for Eve's sequence success probabilities. In the ideal case, ε' = ε'' = 0 in (2)-(3). The levels ε' and ε'' can be stipulated by the system designer for different security needs. Under a d < ε guarantee, (2)-(3) hold only when averaged over all relevant key values [5] with ε' = ε'' = ε.

From the Markov inequality [24] such an average guarantee can be converted into the individual guarantees (2)-(3) for proper comparison with U [25]. Operationally, an average guarantee is not sufficient also because a "failure probability" of some sort is required in the quality control of individual items in any production system. Thus, we have (2)-(3) with

ε' = ε'' = d^{1/3} (4)

due to the averaging of d with respect to the possible K values and the privacy amplification codes given in security proofs [4,5].

Our averaged conditions [5] are obtained for the classical variational distance [24] which is bounded by d upon measurement by Eve. They do not seem to have appeared before [26] in either the classical or quantum literature other than the deterministic bit leak in raw security brought up in [3]. Probabilistic bit leaks of any level are covered in (2)-(3), and such leaks must also be guaranteed by quantitative bounds. Note that equality can be achieved for these bounds, i.e., there are distributions of Eve on K compatible with the d < ε guarantee which satisfy (2)-(3) with equality [2-5]. This shows they can be used with equality to measure the quantitative security guarantee on K.

What would be a sufficient condition for security? If ε' and ε'' are not small in the right scale with respect to l, (2)-(3) may not be sufficient depending on the application. Recall that the comparison reference of the distribution P of K is U. When K is used in one-time pad form, in addition to (2)-(3) Eve's average BER p_b in her estimate of the K bits has to be close to 1/2 for security. (Note that p_b accounts for the correlation between the bits in K from its definition [4].) This is well known in data communications and is easily seen, in that an incorrect sequence estimate on K may nevertheless produce a preponderance of correctly estimated key bits, similar to what one may get from a biased a priori distribution of K that is different from U. It turns out that [4] only

^-P6<rfVVlog2e (5) 

can be guaranteed for the whole K in raw security; there is no subset guarantee for either raw or known-plaintext attack security. However, if d ~ 2^{-l} for l ≫ 1 so that K is near-uniform, it appears K should be quantitatively secure for all conceivable applications as stated in [15]. Note that no composition security argument from the mere form of d [23] can guarantee p_b under known-plaintext attacks [4], while the wrong interpretation can [11], because K is then U with a high probability p > 1 − d.
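As an added worked illustration (not part of the original paper; all distributions below are constructed by the editor for an 8-bit key with d = 1/100), the following Python computes δ(P, U) of (6) exactly with fractions, exhibits a distribution at distance exactly d from U that meets (2) with equality for the whole key, shows that such a P differs from U at every single key value rather than "with probability d", contrasts the averaged form of the known-plaintext condition (3) with its value for one particular known segment, and, for the BER point above, gives a biased product distribution whose best sequence guess is small while Eve's bit error rate sits well below 1/2. The function names, the 8-bit length and the bias 1/10 are the editor's choices, and the BER function is a simple estimate-based count rather than the p_b of [4].

```python
from fractions import Fraction
from itertools import product


def all_keys(l):
    """All 2^l values of an l-bit key, as bit tuples."""
    return list(product((0, 1), repeat=l))


def variational_distance(P, Q):
    """delta(P, Q) = (1/2) * sum_i |P_i - Q_i|, equation (6), computed exactly."""
    return Fraction(1, 2) * sum(abs(P.get(k, 0) - Q.get(k, 0)) for k in set(P) | set(Q))


def uniform(l):
    return {k: Fraction(1, 2 ** l) for k in all_keys(l)}


def spiked(l, d, kstar):
    """Constructed distribution at variational distance exactly d from U: the value
    kstar gets 2^-l + d and the other 2^l - 1 values share the deficit equally.
    Every P(k) then differs from 2^-l, so P is not U 'with probability 1 - d'."""
    n = 2 ** l
    P = {k: Fraction(1, n) - Fraction(d) / (n - 1) for k in all_keys(l)}
    P[kstar] = Fraction(1, n) + Fraction(d)
    return P


def marginal(P, idx):
    """Distribution of the sub-key at positions idx."""
    M = {}
    for k, p in P.items():
        sub = tuple(k[i] for i in idx)
        M[sub] = M.get(sub, 0) + p
    return M


def best_guess(P, idx):
    """Eve's optimal probability of guessing K* (the bits at idx): the left side of (2)."""
    return max(marginal(P, idx).values())


def best_guess_given(P, known_idx, known_val, target_idx):
    """Left side of (3) for one specific known segment K_1 = known_val:
    max over v of P(K_2* = v | K_1 = known_val)."""
    cond, total = {}, Fraction(0)
    for k, p in P.items():
        if tuple(k[i] for i in known_idx) != known_val:
            continue
        total += p
        t = tuple(k[i] for i in target_idx)
        cond[t] = cond.get(t, 0) + p
    return max(cond.values()) / total


def avg_best_guess_given(P, known_idx, target_idx):
    """Averaged form of (3): sum over k_1 of P(k_1) * max_v P(K_2* = v | K_1 = k_1),
    i.e. sum over k_1 of max_v P(K_1 = k_1, K_2* = v)."""
    joint = {}
    for k, p in P.items():
        key = (tuple(k[i] for i in known_idx), tuple(k[i] for i in target_idx))
        joint[key] = joint.get(key, 0) + p
    best = {}
    for (k1, _), p in joint.items():
        best[k1] = max(best.get(k1, 0), p)
    return sum(best.values())


def biased_product(l, eta):
    """Constructed distribution: each bit is 0 with probability 1/2 + eta, independently."""
    return {k: (Fraction(1, 2) + eta) ** (l - sum(k)) * (Fraction(1, 2) - eta) ** sum(k)
            for k in all_keys(l)}


def eve_ber(P, guess):
    """Average fraction of bits Eve gets wrong when she outputs `guess` for K
    (editor's simple count, used only to illustrate the point; the p_b of [4]
    is defined over Eve's optimal bit estimates)."""
    l = len(guess)
    return sum(p * Fraction(sum(a != b for a, b in zip(k, guess)), l) for k, p in P.items())


def demo(l=8, d=Fraction(1, 100)):
    """Constructed 8-bit case with d = 1/100; the known segment is the first half of K."""
    kstar = (1,) * l
    known, target = tuple(range(l // 2)), tuple(range(l // 2, l))
    P, U = spiked(l, d, kstar), uniform(l)
    Q = biased_product(l, Fraction(1, 10))
    return {
        "delta": variational_distance(P, U),                    # == d
        "keys_equal_to_uniform": sum(P[k] == U[k] for k in U),  # 0, not (1 - d) * 2^l
        "full_key_guess": best_guess(P, range(l)),              # == 2^-l + d: equality in (2)
        "kpa_individual": best_guess_given(P, known, (1,) * (l // 2), target),
        "kpa_average": avg_best_guess_given(P, known, target),  # <= 2^-(l/2) + d
        "biased_seq_guess": best_guess(Q, range(l)),            # (3/5)^8, small
        "biased_ber": eve_ber(Q, (0,) * l),                     # 2/5, well below 1/2
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value} ~ {float(value):.4g}")
```

For the spiked P the averaged condition (3) holds with ε'' = d, but conditioned on the particular known half that matches the spike, Eve's success on the other half is about 0.19 against 2^{-4} + d ≈ 0.0725; this is the sense in which an average guarantee has to be converted into an individual one. For the biased product Q, the best sequence guess succeeds with probability (3/5)^8 ≈ 0.017 while 40% of the guessed bits are wrong, i.e. 60% are right.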

III THE INCORRECT INTERPRETATION OF d AND CLASSICAL CRYPTOGRAPHY

The prevalent interpretation is that d gives the probability that K is different from U with Eve's probe disconnected from K and thus giving composition security also [7-11]. This interpretation has repeatedly been pointed out to be incorrect in [2-5] to no avail, until the appearance of [1], which no longer cites such an interpretation but instead the correct one! The origin of the error comes from the interpretation of the variational distance δ(P, Q),

δ(P, Q) = (1/2) Σ_i |P_i − Q_i| (6)

between two classical probability distributions P and Q which is given with Proposition 2.1.1 in [7], that "the two settings described by P and P', respectively, cannot differ with probability more than ε." In our present notation or that of [8], P' = Q, and d is interpreted equivalently from Lemma 1 of [8] as the "probability that two random experiments described by P and Q, respectively, are different". We would not repeat the reasons and simple counter-examples [2-5] on why this interpretation is wrong. It does not follow from the mathematical statement of his Proposition 2.1.1, or the equivalent Lemma 1 of [8], through a joint distribution which gives P and Q as marginals, but rather from conceptual and verbal confusions. Instead, we point out here that any such joint distribution is irrelevant to the meaning of δ(P, Q). This is simply because the marginal distribution is just P regardless of what the underlying space of P is joined to. P does not suddenly become Q with a probability δ(P, Q) in the presence of the given joint distribution. The wrong interpretation arose from basic conceptual confusions about the relation of probability concepts to the real world. It is amazing that it has perpetuated as far and as long as it has.

The variational distance is a well studied concept and nowhere else could one find such a strong interpretation as given in [7-8]. In particular, d is not so interpreted in [23]. Indeed, it is shown in [3] and easily seen from (6) that when d > 0, the distribution of K is not U with probability 1 (no probability issue here really) instead of d. Subtle and equivocal words in [1] may suggest that the wrong and correct interpretations of d (equivalently δ) are similar. Although the two interpretations quantitatively contradict each other, one may perhaps think they are numerically close. In particular, since "failure" includes the event where the whole K is compromised, it is important to understand the difference between the two interpretations precisely, as follows.

Prior to ref [5], which correctly proves known-plaintext attack security under d < ε for the first time, in the literature there are two incorrect/incomplete proofs of universal composition security. One of them [11] is invalid since it utilizes the wrong interpretation of d. With (3) from [5], known-plaintext attack security is established for Eve's sequence success probabilities but there is no similar guarantee for Eve's BER. In contrast, under the wrong interpretation Eve's BER p_b = 1/2 with a probability > 1 − d for every k, on which counter-examples are easily constructed. In general, each different composition situation has to be treated under the correct meaning of d for a quantitative guarantee, which cannot be given by just d or δ since they are not operational criteria. This fact alone shows the composition security claim on d in [23] is incomplete or invalid, since the mathematical representation of operational security is lacking.

A further difference is that if K is not at least near uniform, one cannot use it to subtract for the bits leak_EC, given by (8) in section IV, while such bits need to be used in the middle of a valid security proof. Another difference is that the Markov inequality needs to be applied only once under the wrong interpretation since there is no K-average needed, which results in d^{1/2} instead of d^{1/3} in (4).
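As an added illustration of the Markov-inequality conversion discussed here and in section II (the editor's reconstruction of the argument, not the derivation of [4]), the following Python certifies a constructed sparse table of per-(privacy amplification code, key value) distances whose overall mean is below d = 10^{-6}: once as if only one average had to be undone, which yields the level d^{1/2}, and once with the nested code and key averages, which yields d^{1/3} for the discarded code fraction, the discarded key fraction and the surviving level alike. The table contents, the counts of 200 codes and 1000 key values, and the threshold choices d^{2/3} and d^{1/3} are the editor's assumptions.

```python
from fractions import Fraction


def exact_root(x, n):
    """Exact n-th root of a Fraction whose numerator and denominator are perfect
    n-th powers; the constructed d = 10^-6 qualifies (roots 10^-3 and 10^-2)."""
    num, den = round(x.numerator ** (1 / n)), round(x.denominator ** (1 / n))
    if num ** n != x.numerator or den ** n != x.denominator:
        raise ValueError("root is not exact")
    return Fraction(num, den)


def markov_bound(mean, threshold):
    """Markov's inequality: for nonnegative quantities with average `mean`, the
    fraction exceeding `threshold` is at most mean / threshold."""
    return mean / threshold


# Constructed sparse table of distances delta_{c,k} per (code c, key value k);
# absent entries are 0.  Code 0 is uniformly mediocre, code 1 is fine except for
# one badly leaking key value.  Mean over all entries is 0.17 / 200000 = 8.5e-7.
N_CODES, N_KEYS = 200, 1000
D_AVERAGE = Fraction(1, 10 ** 6)   # the proof-style guarantee: E_c E_k delta_{c,k} <= d


def constructed_table():
    t = {(0, k): Fraction(15, 10 ** 5) for k in range(N_KEYS)}   # 1.5e-4 each
    t[(1, 7)] = Fraction(2, 100)                                 # one key at 2e-2
    return t


def overall_mean(t):
    return sum(t.values(), Fraction(0)) / (N_CODES * N_KEYS)


def code_mean(t, c):
    return sum((v for (cc, _), v in t.items() if cc == c), Fraction(0)) / N_KEYS


def one_average(t, d):
    """Only one average to undo (the situation under the wrong interpretation of d):
    threshold sqrt(d) on delta makes both the excluded fraction and the surviving
    level equal d^{1/2}."""
    r = exact_root(d, 2)
    bad = sum(1 for v in t.values() if v > r)
    return {"level": r, "bad_fraction": Fraction(bad, N_CODES * N_KEYS),
            "bound": markov_bound(d, r)}


def two_averages(t, d):
    """Two nested averages (over the PAC choice c, then over the key value k).
    Markov once with threshold d^{2/3} on the per-code mean: at most d/d^{2/3} = d^{1/3}
    of the codes are discarded.  Within a retained code the mean is <= d^{2/3}, so
    Markov again with threshold d^{1/3}: at most d^{2/3}/d^{1/3} = d^{1/3} of the key
    values are discarded.  Every surviving (c, k) has delta_{c,k} <= d^{1/3}, the level in (4)."""
    r = exact_root(d, 3)
    bad_codes = [c for c in range(N_CODES) if code_mean(t, c) > r * r]
    retained = [c for c in range(N_CODES) if c not in bad_codes]
    worst = max(Fraction(sum(1 for k in range(N_KEYS) if t.get((c, k), 0) > r), N_KEYS)
                for c in retained)
    return {
        "level": r,
        "bad_code_fraction": Fraction(len(bad_codes), N_CODES),
        "bad_code_bound": markov_bound(d, r * r),
        "worst_bad_key_fraction": worst,
        "bad_key_bound": markov_bound(r * r, r),
    }


if __name__ == "__main__":
    table = constructed_table()
    print("overall mean", overall_mean(table), "<= d:", overall_mean(table) <= D_AVERAGE)
    print("one average :", one_average(table, D_AVERAGE))
    print("two averages:", two_averages(table, D_AVERAGE))
```

On the constructed table code 0 is the one discarded code (1/200 of the codes, within the d^{1/3} = 1/100 bound) and key value 7 of code 1 is the one discarded key value (1/1000, again within 1/100); everything that survives is at distance at most 10^{-2}, four orders of magnitude above the average 10^{-6} that the proof guarantees.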



Even assuming the wrong interpretation is true, the relatively large value of d that can be obtained is quite worrisome. For d = 10^{-20}, the operational guarantee (2)-(3) for a 10^ bit key is not better than that of a 66 bit key! An arbitrary reason of system imperfection level given in footnote [15] of [1] is used to justify such numerical values. But why is d = 10^{-20} sufficient for UC secrecy? In fact, the raw security operational guarantee (1)-(2) for d = 10^{-20} is much worse than that obtained in conventional symmetric key ciphers [3].

Furthermore, there is no hint that such a d level of 10^{-20} can be obtained in a concrete protocol. If one takes into account the Markov inequality for an individual guarantee as discussed in section II, only an effective d^{1/3} > 10^{-7} is obtained for d = 10^{-20} after the K value average and the privacy amplification code average are accounted for [4]. The effective d^{1/3} value of > 10^{-7} for d = 10^{-20} is already very large for l = 10^, not to say l = 10^. The only concrete experimental protocol with a quantified security level is given in [14,27] with effectively d = 10^{-6}. Then d^{1/3} = 10^{-2} from [14] may entail a very drastic breach of security. Note that the d = 10^{-20} level cannot even be achieved for a positive key rate in a "tight finite-key" analysis of single-photon BB84 [13], for which the best d = 10~^* is obtained for l = 1! It should be emphasized that these effective d^{1/3} values give poor security guarantees even according to the wrong interpretation. The corresponding BER guarantee of (5) is similarly poor.

In this connection, it is important to note that the size of d should be measured with respect to 2^{-l} according to the correct interpretation (2)-(3), not with respect to 1 according to the incorrect interpretation. This has been a major source of confusion: since the system is evidently secure or ideal when a criterion takes the value zero, it is thought that it should be secure for a small value of the criterion. Yes, this is correct if "smallness" is measured in the correct scale, but 1 is not always the scale, an elementary point that is often forgotten when the relative dimensional measure is ignored.
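As an added numerical illustration (editor's code, not from the paper), the following Python measures d on the 2^{-l} scale by converting the whole-key guarantee 2^{-l} + d of (2) into the length of a uniform key with the same best-guess probability; the 66-bit figure of the previous paragraphs comes out for d = 10^{-20}, and the same conversion is applied to the individual-guarantee level d^{1/3} of section II. The key lengths used in the calls are assumed values chosen by the editor.

```python
import math


def effective_bits(d, l):
    """Length of a uniform key giving the same best-guess probability as the
    guarantee (2) for the whole key: Eve's sequence success is at most 2^-l + d,
    so the equivalent uniform key has -log2(2^-l + d) bits."""
    return -math.log2(math.ldexp(1.0, -l) + d)


def individual_level(d, averages):
    """Average-to-individual conversion of section II (Markov inequality):
    d^{1/2} when one average is undone, d^{1/3} when two are, i.e. d^{1/(averages+1)}."""
    return d ** (1.0 / (averages + 1))


def security_scale(d, l, averages=2):
    """Express d on the scale 2^-l that (2)-(3) make relevant, not on the scale 1."""
    d_ind = individual_level(d, averages)
    return {
        # log2 of d / 2^-l: 0 means d sits exactly at the ideal scale, large means far above it
        "log2_d_over_2^-l": math.log2(d) + l,
        "near_uniform": d <= math.ldexp(1.0, -l),      # the d ~ 2^-l case of section II
        "effective_bits_average": effective_bits(d, l),
        "effective_bits_individual": effective_bits(d_ind, l),
    }


if __name__ == "__main__":
    # assumed key lengths; 1000 bits keeps 2^-l representable as a float
    for d, l in ((1e-20, 1000), (1e-6, 1000), (2.0 ** -64, 64)):
        print(d, l, security_scale(d, l))
```

With d = 10^{-20} the whole-key guarantee is worth about 66 bits whatever l is, and the d^{1/3} individual level about 22 bits; with the d = 10^{-6} of [14] the figures drop to about 20 and 6.6 bits. Only when d is itself of order 2^{-l} does the effective length track l.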

Similarly, the criterion d as "distinguishability advantage" is used to justify it as a security criterion in [23], which is also the justification for using the variational distance in some classical cryptography work brought up in the last paragraph of [1]. While the distinguishability advantage was only established for binary decisions, it is now established [5] for N-ary decisions for N between 2 and 2^l. However, the relevant point in this connection is that the required level ε in d < ε depends on what N in the N-ary decision is. A value good compared to 1/2 for N = 2 may be very inadequate relative to 1/N for N = 2^l, as we just discussed. This N-ary issue is another reason why a composition security proof has to be spelled out precisely and quantitatively. Security is a quantitative issue through and through. Further discussion of such d meaning is given in [4].

The quantitative counter-example in [1] is irrelevant to begin with since we never deny (1) in its correct sense and we only insist (HY) is necessary for a near-uniform K when l is large. It may be mentioned that the counter-example uses a very strict meaning for his vague condition (HY) that neither Yuen nor Hirota ever indicated. The construction in the counter-example betrays the same confusion which underlies the erroneous interpretation of d [7-8]. In the counter-example, δ or d or ε is fixed at 2^{-l} and there is no room for another ε = 10^{-20} "by construction"! This is one conspicuous example of the several incoherences in [1].

In classical cryptography practice, encryption security is based on complexity: search for known-plaintext attacks on symmetric key ciphers and other computational ones in asymmetric key ciphers. The information theoretic security we talk about here for QKD plays no role except for the one-time pad. Thus, the claim of [1] that classical cryptography is compromised without a small enough d is false, for this and the following reasons.

The bounded storage model [28] with controllable information theoretic security is not used in practice. While it has a criterion related to d, there is a security parameter in [28] that could make it arbitrarily small, which is not available in QKD. In particular, the key length l itself is not such a parameter once the proper criterion is employed in QKD [2], a point that will be elaborated in the next section IV. On the other hand, security is not fully established in [28] unless the criterion value goes to zero, precisely because N-ary decisions as well as Eve's bit error rate are not treated. In fact, security under known-plaintext attacks, which is the real issue for symmetric key ciphers [3], is also not treated in [28].

In public key cryptography the variational distance criterion from complexity considerations plays no role in practice. In fact the probabilistic encryption schemes that utilize such theory are not used due to their slow speed. Similar to [28], security for public key is not established in principle for N-ary decisions, Eve's bit error rate, and for known-plaintext attacks.

The actual situation is that other than the one-time pad, no protocol in classical cryptography has been proven secure, information theoretically or computationally. Cryptography is still very much an art. Quantum cryptography aspires to provable security, a lofty goal that has been repeatedly claimed to be achieved from numerous errors of reasoning. Since security is a serious matter and cannot be established experimentally, we should examine all the security proof steps more carefully. A concise discussion of such steps and the state of QKD security proofs is given next.

IV QKD SECURITY PROOF STATUS

There are five main steps involved in the general security proof of a BB84-type QKD protocol, assuming the physical modelling is complete and correct:

(i) Pick a security criterion and establish that its operational guarantee is adequate;

(ii) Measure the quantum bit error rate (QBER) on the checked qubits and transfer it with proper statistical margin to the sifted key K'';

(iii) Bound Eve's relevant information on K'' under an arbitrary joint attack;

(iv) Apply an open error correcting code (ECC) and bound Eve's information on the corrected key K';

(v) Apply an open privacy amplification code (PAC) to generate the final key K and bound Eve's information on K according to the chosen criterion to obtain its quantitative level of security.

Each of these five steps has been treated incorrectly since the early days of QKD security proofs. At present, step (i) is almost resolved (apart from Eve's general bit error rate) in one way through the criterion d via (2)-(5) above. Step (v) can be resolved by the classical Leftover Hash Lemma [29]. We will discuss the other three steps in turn; the main impediment to progress in security proofs is from steps (iii) and (iv).

Historically the Shor-Preskill proof [30] is most influential and widely quoted, but it is incomplete/incorrect for all five steps. Here it will be used as a representative and the other security approaches and proofs other than [13] will not be discussed. The Shor-Preskill proof employs the mutual accessible information criterion I_a without insisting it be small enough. (In contrast to the impression from [21,22], the I_a criterion is actually fine if its level is at or below 2^{-l} for an l-bit key K [31].) The transfer of QBER is later amended in [32] for general joint attacks, which is still incorrect because it involves classical counting instead of qubit counting. It appears that correct quantum counting can be developed [33], which gives wider fluctuation or a lower security level with a factor of two reduction in the exponent.

The major difficulty in QKD security proofs arises from the correlation between key bits that is introduced by Eve's active joint attack and the users' ECC and PAC. To account for such correlation from a joint attack, step (iii) has mostly been achieved by some sort of symmetrization which does not appear to be valid. How does one get symmetry from an asymmetric situation? The usual argument (see, for example, the reduction of a general attack to a collective attack in [7]) involving an openly known permutation cannot do any work since Eve knows it and could just rearrange back. A new argument is used in [13] which involves incorrect classical counting on qubits similar to [32] and moreover, does not work for sufficiently small d [15].

The information Eve has on the chosen ECC and PAC is not accounted for in the Shor-Preskill proof. In a direct development of the Shor-Preskill approach, Hayashi has recently incorporated such information for ECC [34] and PAC [35], which are yet to be evaluated for concrete protocols under general attack. In the meantime, the ECC information leak expression

leak_EC = h(QBER) (7)

where h(·) is the binary entropy function, is employed by him [36] and in fact universally [9,13,37] to account for such leak. It is pointed out [15] that there is the possibility of information leak from ECC similar to the quantum information locking leak [15] that undermines inadequate values of accessible information as a security criterion, and which is neglected in the expression (7). Furthermore, (7) can be justified only for collective attacks asymptotically. Collective attack is extremely restrictive. Eve can launch what is called a joint attack without any entanglement by just attacking a portion of the key bits (which seems to suggest already that collective attacks cannot be optimal for any of Eve's aims, not to mention for this leak_EC issue). Indeed, no justification for such a crucial treatment of step (iv) by (7) has ever been spelled out because there is none. It cannot be true for all attacks if one examines its meaning [15]. This ECC information leakage problem (iv) and also the joint attack problem (iii) appear to be very difficult to resolve in QKD security proofs.

The condition (7) by itself shows that the near-universal step of subtracting it from the generated key bits to get the final K is invalid, unless perhaps when the d level of K is so small that (2)-(3) imply the bits are nearly uniform and K functions effectively as U. This is a problem even if the users decide that a given large d level is sufficient for security. The security proof itself is supposedly carried out with uniform bits in the amount (7). Note that Eve could launch a joint attack just to invalidate (7) regardless of whether a collective attack is optimum from the viewpoint of her information gain on K. She may want to minimize the users' key rate, which may not turn out positive.

Apart from all these theory problems, the security proof claims are often used by experimentalists to claim security for their systems in an invalid way. For example, the Shor-Preskill asymptotic key rate is often quoted as the system capability, with no mention of the criterion and its quantitative level. Equally significantly, Shor-Preskill only claimed to have established such a rate for a joint CSS code as ECC and PAC. In [38], for example, the cascade reconciliation protocol, which has numerous problems [39], is used for error correction, and universal hashing is used for PAC. However, it has never been shown that the Shor-Preskill key rate applies to such error correction and privacy amplification procedures.

The asymptotic convergence rate for various criteria yields the actual (asymptotic) key rate for fixed levels of d or p_1 [2,25], and is not given in [24] for its mutual information criterion. In this connection, we would like to bring out a common misconception concerning QKD security. Since [30] it is often thought that as long as the key rate is below a certain threshold, the security level can be made arbitrarily close to the ideal when the key length l is indefinitely increased. That is, l is taken to be a security parameter, and that is likely why only the secure key rate is quoted in many papers including [38]. Perhaps this is thought to be in analogy with Shannon's Channel Coding Theorem [24], which says that for data rate below capacity, the error rate can be made arbitrarily small for long enough block length. Sometimes it is thought that finite privacy amplification is what renders this untrue. We would like to point out here that the problem is present even asymptotically as l → ∞, as follows [2].

For key rate below a threshold, let us assume it is indeed proved that Eve's accessible information I_a (or d) goes to 0 as l → ∞, exponentially as ~ 2^{-λl} for some 0 < λ < 1,

d ~ 2^{-λl}  or  I_a / l ~ 2^{-λl}   (8)

The situation for finite l is the same. The security level for those l bits is very different depending on what exactly λ is. It is near ideal for λ = 1 but very far from ideal for λ << 1. Indeed, Eve's maximum probability p_1 of estimating the whole K sets the limit on the number of uniform bits that can be generated, since p_1 = 2^{-n} for n uniformly distributed bits. Thus, it is the rate of p_1, or equivalently I_a / l, going to zero that determines the rate of uniform key generation, not the original key rate threshold [2,15]. It turns out the convergence rate λ in (8) is very small for d in [13], and not evaluated for I_a / l in other proofs except [27], which leads to an even smaller λ [14]. With d = 10^{-20} and l = 10^5, λ ≈ (2/3) × 10^{-3}, resulting in a guarantee of 66 bits from (2)-(3) for 10^5 bits, or just 22 bits from (4) after the Markov inequality is applied. In [13] the best d = 10^{-20}, or d^{1/3} > 10^{-7}, and in [14] I_a / l ~ 10^{-6}, equivalent to d^{1/3} ~ 10^{-2}.
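As an added worked example (not part of the paper), the following Python reproduces the figures just quoted from (8). It assumes that the number of bits guaranteed uniform is -log2 of the bound on Eve's whole-key success probability p_1, taking that bound as d for (2)-(3) and as d^{1/3} for the Markov-inequality form (4); the function names are this example's own.

```python
import math

def exponent_lambda(d: float, l: int) -> float:
    """Convergence exponent lambda in (8): d = 2^(-lambda*l), so lambda = -log2(d)/l."""
    return -math.log2(d) / l

def trace_distance(lam: float, l: int) -> float:
    """Inverse of the above: the d reached by an l-bit key with exponent lambda, from (8)."""
    return 2.0 ** (-lam * l)

def uniform_bits_from_bound(p1_bound: float) -> int:
    """n uniform bits have whole-key guessing probability 2^(-n); return the n
    (rounded down) for which 2^(-n) matches the given bound on Eve's p_1."""
    return math.floor(-math.log2(p1_bound))

def guaranteed_bits(d: float) -> int:
    """Bits guaranteed by (2)-(3), taking the bound on p_1 to be d (assumption)."""
    return uniform_bits_from_bound(d)

def guaranteed_bits_markov(d: float) -> int:
    """Bits guaranteed after the Markov-inequality step (4), taking the bound on
    p_1 to be d^(1/3) (assumption, matching the paper's d^{1/3} figures)."""
    return uniform_bits_from_bound(d ** (1.0 / 3.0))

def uniform_key_rate(d: float, l: int) -> float:
    """Fraction of the l generated bits that is effectively uniform.
    This is lambda itself, not the protocol's quoted key rate threshold."""
    return guaranteed_bits(d) / l

if __name__ == "__main__":
    d, l = 1e-20, 10**5          # values quoted in the text for [13]
    lam = exponent_lambda(d, l)
    print(f"lambda = {lam:.2e}")                                   # ~6.6e-04, i.e. (2/3) x 10^-3
    print(f"(2)-(3) guarantee : {guaranteed_bits(d)} bits")        # 66
    print(f"(4) after Markov  : {guaranteed_bits_markov(d)} bits") # 22
    # Growing l at fixed lambda: guaranteed bits grow only as lambda*l, so the
    # uniform fraction of the key stays at lambda; l is not a security parameter.
    for n in (10**5, 10**6):
        dn = trace_distance(lam, n)
        print(f"l={n:>8}: d={dn:.1e}, uniform bits={guaranteed_bits(dn)}, "
              f"fraction={uniform_key_rate(dn, n):.1e}")
```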



One can relax uniform K to ε-secrecy via ε-smooth entropy [40]. Intuitively, one cannot expect much would be accomplished when ε is only moderately larger than 2^{-l}. In fact, even for very large d for a given l, the results of [13] show the key rate is still very low.



Thus, the exchange of key rate and security level is a fundamental fact in all QKD protocols, asymptotic or finite, and l is not a security parameter. In fact, one needs to prove that a positive exponent λ > 0 would result in (8), which is far from guaranteed. This is especially the case when all system imperfections and message authentication bits are taken into account. Together with the numerical values obtained in [13], this fundamental tradeoff between key rate and security level gives a grim picture of the usefulness of BB84 type protocols.



In QKD security proofs there are numerous problems associated with physical modelling that have been ignored or neglected. We may point out the case of general lossy channel security [16], photon number splitting attacks on multi-photon sources and decoy states [18], and the heterodyne-resend attack in CV-QKD [19]. Security is seriously undermined in the last two situations against the prevalent security claims on them. In particular, a grave issue that has been generally overlooked is to what extent the users could accurately determine the various system parameters such as loss, a serious robustness issue for security. The well known detector blinding attacks [41] show that detailed detector behavior has to be explicitly represented in a real security proof [17], but so far it has not been done.



V COMMON MISCONCEPTIONS ON QKD SECURITY

The list in the following corrects some major miscon- 
ceptions on QKD security, most of which have been 
discussed in this paper as part of our response to [1]. 

(a) Any single-number security criterion, other than the wrong interpretation of d in [7,8], is not sufficient for security by itself. For an operationally meaningful security guarantee, it has to be quantitatively reduced to bounds on Eve's various success probabilities in estimating segments of the key and also her average bit error rate.

(b) One cannot prescribe, as done in [1], that some chosen numerical level of a criterion is always sufficient for security when the level is far from ideal. It is the application user of the cryptosystem who decides what level is adequate for a specific application.

(c) There is a fundamental exchange between key rate and security level. It is not the case that security can be made arbitrarily close to ideal for key rate below a certain threshold. It is the cryptosystem designer's responsibility to evaluate such a quantitative tradeoff. The results of [13] give a poor security level even at very low key rate.

(d) Contrary to widespread impression, there is no valid QKD general security proof in the literature. For example, the error correction step has never been treated correctly. The burden of proof is on those who claim security, not on others to produce a specific counter-example to the security claim.

(e) As a consequence of (d) and in view of the fundamental difficulties discussed in this paper, QKD is at present no different in security status from other cryptosystems under study or in use. It does not have the advantage of having been proved unconditionally secure in principle.

(f) The problem of complete system representation for a security claim is not a "practical security" issue for the application user, but rather a basic one. The incomplete modelling of system component behavior, such as photodetector temporal response to different input signal levels, is not a mere "side channel" issue but a main issue of model completeness, without which there can be no proof of security.
VI CONCLUSION

It is hard to avoid the impression that Eve's standpoint has rarely been taken seriously in the literature and the main concern has been to claim security. A common mistake in general security proofs is to analyze only one type of attack while claiming unconditional security against all possible attacks. Security is a serious matter. There are an unlimited number of attack scenarios, thus security can only be established theoretically if at all, and the burden of proof is on those who claim security. Attacks from the Norway group [41] show how dangerous a faulty claim may be, with security totally compromised in an unexpected way, a situation actually familiar in conventional cryptography. When addressing security issues it would be good to keep the following question in mind:

How did we come to the present QKD security predicament with endless invalid security proofs?